LMIBE: Lattice-Based Matchmaking Identity-Based Encryption for Internet of Things

With the adoption of new technologies, the Internet of Things (IoT) is developing rapidly and brings great convenience to our lives. As IoT applications grow tremendously, ensuring the security of IoT systems becomes critical. Although many cryptographic tools (such as identity-based encryption) have been proposed to provide appropriate security in IoT application fields such as the smart home, guaranteeing data confidentiality, providing reasonable data source identification, and resisting quantum attacks simultaneously remains a challenging problem. To address this problem, we propose a matchmaking encryption scheme named lattice-based matchmaking identity-based encryption (LMIBE), which provides bilateral access control for both sender and receiver in IoT systems and resists quantum attacks. Moreover, we give a formal definition and a security definition for our scheme. The security proof shows that our scheme is secure under the proposed security definition. Finally, a comparison of the performance of our scheme with existing works shows that the proposed scheme has a broad application prospect in the IoT environment.


I. INTRODUCTION
The Internet of Things (IoT) is a complex and extensive network in charge of establishing communication among billions of devices. With the continuous development of various types of devices and technologies, IoT technology may be involved in all aspects of our daily life, such as the smart home, healthcare, vehicular networks, etc. [1], [2]. In recent years, the primary concern has remained ensuring the security and privacy of data communication among IoT devices.
Identity-based encryption (IBE) [3], [4], [5], [6] is an efficient and important measure for protecting data privacy and ensuring secure data communication in IoT. IBE eliminates the barrier raised by the elaborate certificate management needed by other public key encryption schemes, and the sender (e.g., a sensor) only needs little overhead to encrypt data. For example, IoT devices (senders) can use the identity of other IoT devices (receivers) to encrypt selected data. However, IBE only enforces receiver (e.g., server) access control and does not provide sender access control. Therefore, it is essential to provide a cryptographic mechanism satisfying receiver access control for data confidentiality and sender access control for data source identification.
The associate editor coordinating the review of this manuscript and approving it for publication was Theofanis P. Raptis.
To solve this problem, a matchmaking IBE (MIBE) scheme was constructed in CRYPTO'19 [7] to realize access control for both the sender and the receiver. The MIBE scheme allows the sender to specify the identity of the receiver for data confidentiality, and the receiver can decide whether the data come from the intended sender. That is, an MIBE scheme can achieve data confidentiality, receiver access control and data source identification in the IoT environment by checking that the identities of sender and receiver match. However, the existing MIBE scheme cannot resist quantum attacks, given the rapid development of quantum computers. In this paper, we construct a lattice-based MIBE (LMIBE) scheme based on IBE and on the hardness of the learning with errors (LWE) problem and the short integer solution (SIS) problem. LMIBE not only has the advantages of lattice-based cryptography and of the MIBE scheme, but also has practical value and a broad application prospect in the IoT environment. This paper makes the following contributions:
1. We present the LMIBE scheme, which guarantees three security properties simultaneously: (i) message confidentiality, (ii) data source identification, (iii) post-quantum security.
2. We formally put forward the security definition of the LMIBE scheme, and provide the concrete construction of LMIBE and a formal security proof based on the LWE problem and the SIS problem.
3. LMIBE provides bilateral access control for both sender and receiver, and it allows the receiver to outsource the work of data identification, via an access structure, to a semi-trusted third party (the sanitizer), which helps receivers verify whether ciphertexts satisfy the access structure.
4. To evaluate the theoretical performance of LMIBE, we compare LMIBE with other lattice-based IBE schemes. The comparison results show that LMIBE offers better functionality and performance than the others.

VOLUME 11, 2023. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
The rest of this paper is organized as follows. In Section II, we review the existing works related to IBE. In Section III, we recall some theoretical background on lattice-based cryptography. Section IV provides the security definition and system model of our proposed scheme. In Section V, we present the concrete construction of our scheme and its security proof. In Section VI, we compare our scheme with other related schemes in a theoretical evaluation. In Section VII, we conclude.

II. RELATED WORK
As a logical and physical extension of the current internet, IoT [8] is made up of billions of smart connected devices or things [9]. Because these devices in IoT are physically fragile and are usually left unsupervised, IoT applications are often subject to security attacks. Thus, securely transferring data is a significant issue in IoT.
IBE is seen as an efficient encryption tool for secure data communication in IoT because it requires no complicated certificate management. IBE was first introduced by Shamir [10], while practical constructions were only provided much later. Cocks [11] constructs an IBE scheme based on quadratic residues modulo a composite (see also [12]). Further IBE schemes [13], [14], [15], [16], [17] have been introduced in the last few decades. The authors of [18] introduced the notion of hierarchical IBE, and a pseudo-RSA digital certificate technique that can store an IBE key in the RSA key structure of a certificate is presented in [19]. In addition, so-called fuzzy IBE (FIBE) schemes [20], [21], [22], [23] have been proposed in order to provide error tolerance. In particular, Mao et al. [23] presented an FIBE scheme for confidential communications in IoT. Furthermore, an IBE-based study provides an authorized equivalence test for cloud-assisted IoT [5].
Although the above-mentioned IBE schemes solve some issues in terms of public data sharing requirements, they cannot provide bilateral access control for users with particular needs. Ateniese et al. [7] tackled this problem by constructing a matchmaking IBE (MIBE) scheme. The MIBE scheme gives stronger privacy protection because it enables the sender to specify the identity of the receiver and lets the receiver verify the identity of the sender. However, the MIBE scheme fails to provide security against quantum computers.
Facing the quantum age, post-quantum cryptosystems have been introduced, and a standardization process [24] has been initiated by the National Institute of Standards and Technology (NIST) to confront the new computational means. Among post-quantum cryptography, lattice-based cryptography is a strong choice since its security proofs are based on the worst-case hardness of lattice problems. Additionally, lattice-based IBE schemes have been established for the purpose of resisting quantum attacks; interested readers can refer to [25], [26], [27], [28], [29]. However, a lattice-based MIBE scheme has not been constructed so far. In our LMIBE, the verification algorithm blocks unauthorized senders, so that only when the identity of the sender matches the identity specified by the receiver can the receiver, holding a valid decryption key, recover the message.

A. NOTATIONS
Denote $\mathbb{R}$ and $\mathbb{Z}$ as the sets of real and integer numbers respectively. We denote $\mathbb{Z}_q$ as $\{0, 1, \dots, q-1\}$ with addition modulo q. Denote $\mathbb{Z}^m$ as the set of integer vectors. If vectors belonging to $\mathbb{Z}^m$ are linearly independent when reduced modulo q, then we say these vectors are $\mathbb{Z}_q$-independent. Let m be a positive integer; [m] denotes $\{1, 2, \dots, m\}$, and ⌈m⌉ and ⌊m⌋ denote the minimum integer larger than m and the maximum integer smaller than m respectively. Furthermore, we use lower-case letters (for example b) for vectors, assumed to be in column form, and capital letters (for example B) for matrices; $b_i$ denotes the i-th component of the vector b and $B_i$ denotes the i-th column vector of the matrix B. In addition, $\tilde{B}$ denotes the Gram-Schmidt orthogonalization of B. ∥B∥ and ∥b∥ denote the Euclidean norms of B and b. A probabilistic polynomial-time (PPT) algorithm is a randomized algorithm that runs in strict polynomial time.

B. LATTICE
Assume $B = [b_1 | \cdots | b_m] \in \mathbb{R}^{m\times m}$, whose column vectors $b_1, \dots, b_m \in \mathbb{R}^m$ are linearly independent. The following set [30] is a lattice generated by B.
Definition 1 [31]: Let q be a prime number, $A_0 \in \mathbb{Z}_q^{n\times m}$ and $\varsigma \in \mathbb{Z}_q^n$; we have
Theorem 1 [32]: For $m = \lceil 6n \log q \rceil$ with an odd integer $q \ge 3$, there exists a PPT algorithm TrapGen(q, n) that returns matrices with all but negligible probability in n.
Assume $L \subseteq \mathbb{Z}^m$, $\sigma \in \mathbb{R}_{>0}$ is an arbitrary positive parameter and $c \in \mathbb{R}^m$ is an arbitrary vector. We denote the Gaussian-shaped function on $\mathbb{R}^m$ with center c and Gaussian parameter σ as
$$\rho_{\sigma,c}(\iota) = \exp\left(-\pi \frac{\|\iota - c\|^2}{\sigma^2}\right).$$
Let the sum of $\rho_{\sigma,c}$ over L be $\rho_{\sigma,c}(L) = \sum_{\iota \in L} \rho_{\sigma,c}(\iota)$, and define the discrete Gaussian distribution [33] over L with Gaussian parameter σ and center c as $D_{L,\sigma,c}$ satisfying
We will often define the Gaussian distribution $D_{L,\sigma,c}$ over
We can apply a short basis of $\Lambda_q^{\perp}(A_\Upsilon)$ with some $\Upsilon \subseteq [t]$ to generate a short basis of $\Lambda_q^{\perp}(A)$.
Theorem 2 [34]: Assume positive integers n, q, m, t satisfy $q \ge 2$ and $m \ge 2n \lg q$. There is a PPT algorithm SampleBasis which, on input $A \in \mathbb{Z}_q^{n\times tm}$, a set

with non-negligible probability). Additionally, the distribution of $T_B$ only depends on A and ϒ (but not on B and ) up to a statistical distance.
Theorem 3 [28]: Then for a vector $\nu \in \mathbb{Z}_q^n$, there exists a PPT algorithm SamplePre
The security of our LMIBE construction is based on the LWE problem and the SIS problem, which are defined as follows.
Definition 2 [35] (LWE problem): Assume q is a prime, n is a positive integer, and χ is a distribution over $\mathbb{Z}_q$. A $(\mathbb{Z}_q, n, \chi)$-LWE problem instance consists of access to a challenge oracle O, which is either a noisy pseudo-random sampler $O_s$ associated with a secret key $s \in \mathbb{Z}_q^n$ or a truly random sampler $O_{\$}$; they behave as follows.
$O_s$: returns samples $(u_i, \theta_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ with $\theta_i = u_i^T s + y_i$, where $y_i$ is a noise sample from χ and $s \in \mathbb{Z}_q^n$ is a random secret key.
$O_{\$}$: returns truly random samples from $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
Note that we can query the oracle O many times for the
Definition 3 (SIS problem): Given the parameters n, m, q, η and a random matrix $A_0 \in \mathbb{Z}_q^{n\times m}$, the SIS problem is to find a nonzero vector $e \in \mathbb{Z}_q^m$ such that $\|e\| \le \eta$ and $A_0 e = 0 \pmod q$.
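As an added illustration of the preliminaries above (the Gaussian-shaped function $\rho_{\sigma,c}$ and the discrete Gaussian over $\mathbb{Z}$, the two LWE oracles $O_s$ and $O_{\$}$ of Definition 2, and the SIS condition of Definition 3), the following Python code is not from the paper or its authors. It uses a truncated discrete Gaussian over $\mathbb{Z}$ as the noise distribution χ, builds both oracles, and checks a candidate SIS solution. The parameters (n = 8, q = 4093, σ = 2) and the one-row SIS instance over $\mathbb{Z}_7$ are constructed toy values, far below any secure size; the helper `make_rng` is mine and only fixes a seed.

```python
import math
import random


def rho(sigma, c, x):
    """Gaussian-shaped function rho_{sigma,c}(x) = exp(-pi * ||x - c||^2 / sigma^2) on R^m."""
    d2 = sum((xi - ci) ** 2 for xi, ci in zip(x, c))
    return math.exp(-math.pi * d2 / sigma ** 2)


def sample_discrete_gaussian_Z(sigma, c=0.0, tail=12, rng=random):
    """Sample D_{Z,sigma,c}: Pr[x] is proportional to rho_{sigma,c}(x) for x in Z.
    The support is truncated to [c - tail*sigma, c + tail*sigma]; the mass outside is
    below exp(-pi*tail^2), negligible for tail = 12.  Used below as the LWE noise chi."""
    lo = math.floor(c - tail * sigma)
    hi = math.ceil(c + tail * sigma)
    support = list(range(lo, hi + 1))
    weights = [rho(sigma, (c,), (x,)) for x in support]
    return rng.choices(support, weights=weights, k=1)[0]


def centered(v, q):
    """Representative of v mod q in the interval (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def make_rng(seed):
    """Helper (mine): a seeded generator so runs are reproducible."""
    return random.Random(seed)


def lwe_sampler(n, q, sigma, rng):
    """Noisy pseudo-random sampler O_s of Definition 2.  Returns the secret s (known to
    the simulator only) and a closure producing samples (u_i, theta_i) with
    theta_i = u_i^T s + y_i mod q, u_i uniform in Z_q^n and y_i <- chi."""
    s = [rng.randrange(q) for _ in range(n)]

    def oracle():
        u = [rng.randrange(q) for _ in range(n)]
        y = sample_discrete_gaussian_Z(sigma, rng=rng)
        theta = (sum(ui * si for ui, si in zip(u, s)) + y) % q
        return u, theta

    return s, oracle


def uniform_sampler(n, q, rng):
    """Truly random sampler O_$: uniform pairs in Z_q^n x Z_q."""
    def oracle():
        return [rng.randrange(q) for _ in range(n)], rng.randrange(q)
    return oracle


def lwe_residual(sample, s, q):
    """theta - u^T s mod q, centered.  For an O_s sample this equals the noise y_i and is
    small; for an O_$ sample it is uniform over Z_q.  Only someone holding s can compute it."""
    u, theta = sample
    return centered(theta - sum(ui * si for ui, si in zip(u, s)), q)


def is_sis_solution(A, e, q, eta):
    """Definition 3 check: e is nonzero, ||e|| <= eta, and A e = 0 (mod q).
    A is given as a list of rows over Z_q, e as an integer vector of length m."""
    if all(ei == 0 for ei in e):
        return False
    if math.sqrt(sum(ei * ei for ei in e)) > eta:
        return False
    return all(sum(a * ei for a, ei in zip(row, e)) % q == 0 for row in A)


if __name__ == "__main__":
    # Constructed toy parameters (far too small to be secure): n = 8, q = 4093, sigma = 2.
    rng = make_rng(2023)
    s, O_s = lwe_sampler(8, 4093, 2.0, rng)
    O_dollar = uniform_sampler(8, 4093, rng)
    print("O_s residuals (small):", [lwe_residual(O_s(), s, 4093) for _ in range(5)])
    print("O_$ residuals (random):", [lwe_residual(O_dollar(), s, 4093) for _ in range(5)])
    # Constructed SIS instance: A_0 = [1 2 3] over Z_7; e = (1, 3, 0) gives A_0 e = 7 = 0 mod 7.
    print("SIS check:", is_sis_solution([[1, 2, 3]], [1, 3, 0], q=7, eta=4))
```

The residual function makes the point of the LWE assumption concrete: with the secret in hand, $O_s$ samples are immediately recognizable because the centered residual is just the Gaussian noise (here bounded by 12σ = 24), while without the secret the samples of the two oracles are meant to be indistinguishable. The SIS checker is the verification side of Definition 3 only; it says nothing about how hard finding such an e is.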

IV. PROBLEM FORMULATION
LMIBE allows the ciphertext to be verified and blocks unauthorized senders, so that only valid decryption keys can be used to obtain the message. This section gives the security definition and system model of LMIBE.

A. SYSTEM MODEL
As illustrated in Fig. 1, our proposed LMIBE scheme consists of four types of independent entities: a key generation center (KGC), a sender S, a semi-trusted third party called the sanitizer, and a receiver R. The KGC is a trusted entity that initializes the LMIBE scheme. The KGC creates the public parameter pk and the master secret key msk and uses them to generate the encryption key $ek_{\sigma_1}$ and the decryption key $dk_{\rho_1}$ according to the specified individual identities $\rho_1$ and $\sigma_1$. The KGC then distributes the encryption key $ek_{\sigma_1}$ to the sender S and the decryption key $dk_{\rho_1}$ to the receiver R (see ① in Fig. 1). To send a message M to the receiver R, the sender S uses its encryption key $ek_{\sigma_1}$ and the identity rcv of the authorized receiver to encrypt the message, and sends the ciphertext CT to the sanitizer (see ② in Fig. 1). After receiving the ciphertext CT, the sanitizer verifies whether CT matches the identity snd specified by the receiver. If the match succeeds, i.e., snd = $\sigma_1$, the ciphertext CT is kept; otherwise, the sanitizer discards it. Finally, the receiver R can access the sanitizer and correctly decrypt the ciphertext CT with the decryption key $dk_{\rho_1}$ if and only if rcv = $\rho_1$ (see ③ in Fig. 1). Formally, LMIBE consists of six polynomial-time algorithms Setup, SKGen, RKGen, Enc, Verify and Dec, defined as follows.
• Setup($1^\lambda$) → (pk, msk): The KGC is a trusted authority that initializes the LMIBE scheme. It runs the Setup algorithm, which takes a security parameter λ as input and outputs the public parameter pk and the master secret key msk. For simplicity, the common input pk is omitted from the other algorithms.

V. CONSTRUCTION OF LMIBE
We now provide the concrete construction of LMIBE and its security proof.

B. PARAMETERS AND CORRECTNESS
If CT is a valid ciphertext, rcv = $\rho_1$ and snd = $\sigma_1$, we have
The term $x - e^T y$ is the error term. For the system to work correctly, we need the error term to be bounded by q/5, the TrapGen algorithm to work (that is, $m > 6n \log q$), σ to be large enough for the SampleBasis and SamplePre algorithms, and Regev's reduction to apply (that is, $q > 2\sqrt{n}/\alpha$). To meet these requirements, we take n as the security parameter and let (m, α, σ, q) satisfy
$$m = 6n^{1+\delta},\quad \alpha = \left(m^2\,\omega(\log n)\right)^{-1},\quad \sigma = m\,\omega(\log n),\quad q = m^2 \sqrt{n}\,\omega(\log n).$$

C. SECURITY PROOF
We now show the following theorem to ensure the security of our proposed LMIBE scheme based on the LWE assumption.
or randomly selected. To settle the LWE problem, algorithm B communicates with A as follows.
Initial: A submits rcv* as the challenge identity.
Setup: B assembles $A_0 \in \mathbb{Z}_q^{n\times m}$ by setting $A_0 = (u_1, u_2, \dots, u_m)$. Then B returns pk = $A_0$ to A.
$H_1$ queries: A queries the random oracle $H_1$ as follows. If the query $\sigma_i$ is already in the list $L_1$ of tuples $\{\sigma_i, A_i, C_i\}$, then B sends $H_1(\sigma_i) = A_i$ to the adversary A. Otherwise, B uses the algorithm TrapGen to generate $A_i \in \mathbb{Z}_q^{n\times m}$ and a short basis is random, then adds
If $q_i = q^*$, B aborts. Otherwise, B returns $dk_{\rho_i} = e_i$ as the decryption key to the adversary A.
Challenge: The adversary A selects two plaintexts $M_0, M_1 \in \{0, 1\}$ and two identities $\sigma_0, \sigma_1 \in \{0, 1\}^*$ with the restriction that $\sigma_0$ and $\sigma_1$ have never been queried in Query phase 1. B first chooses $\zeta \in \{0, 1\}$, then queries $\sigma_\zeta$ to the oracle $H_1$ and obtains $\{\sigma^*_\zeta, A^*_\zeta, C^*_\zeta\}$. Then B uses the algorithm SampleBasis$(A_0 | A^*_\zeta, C^*_\zeta, \Upsilon = \{2\}, \sigma)$ to generate a matrix $B^*_\zeta \in \mathbb{Z}^{m\times m}$, and the encryption key is $ek_{\sigma_\zeta} = B^*_\zeta$. If $q_i \ne q^*$, B aborts; otherwise, B defines the ciphertext $CT^*$ as follows and sends it to the adversary A:
Query phase 2: The adversary A can acquire encryption keys and decryption keys by querying B as in Query phase 1, with the restriction that $\sigma_i \ne \sigma_0$ and $\sigma_i \ne \sigma_1$.
Guess: A outputs a bit ζ′. Then $(u_i, \theta_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ belongs to the distribution $O_s$ if ζ′ = ζ. Otherwise, $(u_i, \theta_i)$ is uniformly sampled from $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
Now let us analyze the probability of a successful simulation. The termination probabilities of the game are $1/q_{H_2}$ and $1 - 1/q_{H_2}$ in Query phase 1 and the Challenge phase respectively. So the probability of success of the simulation is
If $(u_i, \theta_i)$ belongs to the distribution $O_s$, then we have $\theta_i = u_i^T v + y_i$ ($y_i \leftarrow \chi$). Thus, the ciphertext $CT^* = (\theta^*, c^*_0, \mu^*)$ constructed in the Challenge phase satisfies
and $CT^*$ is a valid challenge ciphertext. Therefore, the adversary A keeps its advantage ϵ, and $\Pr[\zeta' = \zeta] \ge 1/2 + \epsilon$. If $(u_i, \theta_i)$ is uniformly sampled from $\mathbb{Z}_q^n \times \mathbb{Z}_q$, then $\theta_i$ is random in $\mathbb{Z}_q$, which makes $c^*_0$ random in $\mathbb{Z}_q$ as well. Therefore, the challenge ciphertext $CT^*$ reveals no information about ζ ∈ {0, 1} to any legitimate adversary.
) ϵ in solving the LWE problem. □
Theorem 5: If the SIS assumption holds, there is no PPT adversary that can break the EU-CMA security of our proposed LMIBE scheme with parameters (n, m, σ, α, q) as in Section V-B.
Proof: Assume LMIBE does not satisfy the EU-CMA security definition. Then there exists an adversary A that can break the proposed scheme with a non-negligible advantage ϵ. We can therefore construct an algorithm B that interacts with A to solve the SIS problem. To solve the SIS problem, algorithm B communicates with A in the following way.
Initial: A submits snd* as the challenge identity.
Setup: B selects a random matrix $A_0 \in \mathbb{Z}_q^{n\times m}$ and sends pk = $A_0$ to A.

VI. THEORETICAL EVALUATION
In this section, we compare our proposed LMIBE scheme with some existing lattice-based IBE schemes [25], [36], [37] with respect to theoretical communication and computation costs. In addition, we also compare our scheme with other related schemes [7], [25], [36], [37] with respect to post-quantum security and access control for the sender.
We present the communication cost in Table 1 and the computation cost in Table 2 for our LMIBE scheme. Specifically, Table 1 compares the communication cost of LMIBE with the existing lattice-based IBE schemes in terms of public parameter size, encryption key size, decryption key size, and ciphertext size. Table 2 compares the computation cost of the algorithms Setup, SKGen, RKGen, Enc, Verify and Dec between our LMIBE scheme and the existing schemes. In Table 2, $T_{TG}$, $T_{SB}$, $T_{SP}$, $T_{SL}$ and $T_{SD}$ refer to the cost of running the algorithms TrapGen, SampleBasis, SamplePre, SampleLeft and SampleD respectively, $T_{ha}$ is the cost of a hash function, and $(\cdot)_{mul}$ denotes the cost of a multiplication between matrices or vectors.
In terms of the communication cost shown in Table 1, the public parameter size and the decryption key size of LMIBE are smaller than those of the other listed schemes [25], [36], [37]. Even though LMIBE needs to store an encryption key, it supports access control for the sender. The ciphertext size of LMIBE is slightly larger than those of [25], [36] and [37] since LMIBE supports verification of the sender's identity.
For computation cost, from Table 2, our LMIBE scheme has a Setup cost comparable to the schemes of [25] and [36], since they also need to run TrapGen to obtain public parameters and master secret keys. We also note that the Setup cost of the scheme in [37] is higher than that of LMIBE. The schemes of [25], [36] and [37] in Table 2 have no encryption key generation algorithm because of their unidirectional access control. Our LMIBE scheme supports outsourcing sender verification to the sanitizer, which the other schemes [25], [36], [37] do not. In addition, the computation costs of RKGen, Enc and Dec are lower than those of [25], [36], [37], so LMIBE is more efficient than the other schemes in Table 2. From Table 3, we also note that although the scheme of [7] has access control for the sender, it cannot resist quantum attacks. The schemes [25], [36], [37] are post-quantum, but place no restriction on the identity of the sender. Our proposed scheme LMIBE supports both properties simultaneously.

VII. CONCLUSION
To ensure secure message transfer in IoT, we construct the lattice-based LMIBE scheme, which supports bilateral identity access control and resists quantum attacks. Such a system model allows the receiver to identify ciphertexts from unauthorized senders with little decryption cost. Furthermore, by outsourcing a large amount of the verification workload to the sanitizer, it can prevent dangerous information from invading computers through messages and at the same time reduce the burden on terminal equipment. In short, we believe that LMIBE meets the requirements of various IoT application areas by providing data privacy, ciphertext identification, and resistance to post-quantum attacks simultaneously.
XUFENG TAO received the B.S. degree in mathematics and applied mathematics from Shanxi Datong University, China, in 2013. He is currently pursuing the postgraduate degree with the College of Information and Computer, Taiyuan University of Technology. His main research interests include lattice-based cryptography and information security.
YAN QIANG received the M.S. and Ph.D. degrees in computer applications technology from the Taiyuan University of Technology, China, in 1999 and 2010, respectively. He is currently a Professor with the College of Information and Computer, Taiyuan University of Technology. His current research interests include cloud computing, image big data processing, medical image computer-aided diagnosis technology, and cryptography.
PENG WANG received the Ph.D. degree in computer science from Chongqing University, China, in 2020. He is currently a Lecturer with the School of Intelligent Technology and Engineering, Chongqing University of Science and Technology, China. His current research interests include public-key cryptography, lattice-based cryptography, and access control.